Vulnerability Description
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zeit | Next.Js | < 9.3.2 |
Related Weaknesses (CWE)
References
- https://github.com/zeit/next.js/releases/tag/v9.3.2Release Notes
- https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rjThird Party Advisory
- https://github.com/zeit/next.js/releases/tag/v9.3.2Release Notes
- https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rjThird Party Advisory
FAQ
What is CVE-2020-5284?
CVE-2020-5284 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the ...
How severe is CVE-2020-5284?
CVE-2020-5284 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5284?
Check the references section above for vendor advisories and patch information. Affected products include: Zeit Next.Js.